AWSTemplateFormatVersion: '2010-09-09' Description: 'AWS CloudFormation Template: Single-node XQ Secure Gateway (qs-xxxxxx)' Metadata: QuickStartDocumentation: EntrypointName: Launch into an existing VPC Order: 2 AWS::CloudFormation::Interface: ParameterGroups: # AWS Environment - Label: default: AWS environment and machine configuration Parameters: - VPCID - PublicSubnet1ID - PublicSubnet2ID - PublicSubnet1CIDR - KeyPairName - InstanceType - SourceCIDR - MgmtCIDR # AWS Transfer Family - Label: default: AWS Transfer Family configuration Parameters: - SftpUserName - SftpPubKey - SftpBucketName # XQ Gateway - Label: default: Gateway configuration Parameters: - QuantumEndpoint - ValidationEndpoint - SubscriptionEndpoint - ManageEndpoint - XqApiKey - DashboardApiKey - TeamId - GatewayConfigId - TrustedRangeKey - HeartBeatInterval - MonitorSocket - GatewaySocket - RoutePort # QuickStart - Label: default: AWS Partner Solution configuration Parameters: - QSS3BucketName - QSS3KeyPrefix - QSS3BucketRegion ParameterLabels: # AWS Environment VPCID: default: Target VPC ID PublicSubnet1ID: default: Public subnet 1 ID PublicSubnet2ID: default: Public subnet 2 ID PublicSubnet1CIDR: default: Public subnet 1 CIDR KeyPairName: default: Key-pair name InstanceType: default: Instance type SourceCIDR: default: Source CIDR # AWS Transfer Family SftpUserName: default: SFTP user name SftpPubKey: default: SFTP public key SftpBucketName: default: SFTP bucket name # XQ Gateway QuantumEndpoint: default: Quantum service endpoint ValidationEndpoint: default: Validation service endpoint SubscriptionEndpoint: default: Subscription service endpoint ManageEndpoint: default: Management service endpoint XqApiKey: default: General XQ API key DashboardApiKey: default: Dashboard API key TeamId: default: XQ team ID GatewayConfigId: default: Gateway-configuration ID TrustedRangeKey: default: Trusted-range key HeartBeatInterval: default: Heartbeat interval MonitorSocket: default: Monitor socket GatewaySocket: default: Gateway socket RoutePort: default: Route port # Quickstart QSS3BucketName: default: Partner Solution S3 bucket name QSS3KeyPrefix: default: Partner Solution S3 key prefix QSS3BucketRegion: default: Partner Solution S3 bucket Region Parameters: # AWS Environment VPCID: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: VPC IDs can include numbers, lowercase letters, uppercase letters, and hyphens (-). Description: ID for target VPC. Type: String PublicSubnet1CIDR: AllowedPattern: ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: The CIDR block parameter must be in the form x.x.x.x/x. Description: CIDR block for the public subnet located in Availability Zone 1. Type: String PublicSubnet1ID: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: Subnet IDs can include numbers, lowercase letters, uppercase letters, and hyphens (-). Description: Subnet ID for public subnet 1. Type: String PublicSubnet2ID: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: Subnet IDs can include numbers, lowercase letters, uppercase letters, and hyphens (-). Description: Subnet ID for public subnet 2. Type: String KeyPairName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: The key-pair name can include numbers, lowercase letters, uppercase letters, and hyphens (-). Must be the name of an existing EC2 key pair. Description: Name of an existing EC2 key pair to enable SSH access to the instances. Type: AWS::EC2::KeyPair::KeyName InstanceType: AllowedValues: - t3.small - t3.medium - t3.large - c5.large - c5.xlarge - m5.large - m5.xlarge ConstraintDescription: Must contain valid instance type. Default: c5.large Description: Type of Amazon EC2 instance. Type: String SourceCIDR: AllowedPattern: ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: The CIDR block parameter must be in the form x.x.x.x/x. Description: CIDR address from which your gateway receives traffic. Type: String MgmtCIDR: AllowedPattern: ^([0-9]{1,3}\.){3}[0-9]{1,3}(\/([0-9]|[1-2][0-9]|3[0-2]))$ ConstraintDescription: The CIDR block parameter must be in the form x.x.x.x/x. Description: CIDR address from which you manage your gateway using SSH. Type: String # AWS Transfer Family SftpUserName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: The SFTP user name can include numbers, lowercase letters, uppercase letters, and hyphens (-). Description: User name for SFTP access. Default: sftpuser Type: String SftpPubKey: AllowedPattern: ^ssh-rsa AAAA[0-9A-Za-z+/]+[=]{0,3} ([^@]+@[^@]+)$ ConstraintDescription: Must be a valid SSH-2 RSA key. Description: Public key for SFTP access. Type: String SftpBucketName: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: Bucket names can include numbers, lowercase letters, uppercase letters, and hyphens (-). It cannot start or end with a hyphen (-). Description: Unique name for the SFTP data bucket. Type: String # XQ Gateway QuantumEndpoint: AllowedPattern: ^https?:\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*)$ ConstraintDescription: Must be a valid URL. Description: URL for Quantum service endpoint. Default: https://quantum.xqmsg.net/v2 Type: String ValidationEndpoint: AllowedPattern: ^https?:\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*)$ ConstraintDescription: Must be a valid URL. Description: URL for validation service endpoint. Default: https://validation.xqmsg.net/v2 Type: String SubscriptionEndpoint: AllowedPattern: ^https?:\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*)$ ConstraintDescription: Must be a valid URL. Description: URL for subscription service endpoint. Default: https://subscription.xqmsg.net/v2 Type: String ManageEndpoint: AllowedPattern: ^https?:\/\/(?:www\.)?[-a-zA-Z0-9@:%._\+~#=]{1,256}\.[a-zA-Z0-9()]{1,6}\b(?:[-a-zA-Z0-9()@:%_\+.~#?&\/=]*)$ ConstraintDescription: Must be a valid URL. Description: URL for management service endpoint. Default: https://dashboard.xqmsg.net/v2 Type: String XqApiKey: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: Valid XQ API keys can include numbers, lowercase letters, uppercase letters, and hyphens (-). They cannot start or end with a hyphen (-). Description: General API key generated from https://manage.xqmsg.com/applications. Type: String DashboardApiKey: AllowedPattern: ^[0-9a-zA-Z]+([0-9a-zA-Z-]*[0-9a-zA-Z])*$ ConstraintDescription: Valid XQ dashboard API keys can include numbers, lowercase letters, uppercase letters, and hyphens (-). They cannot start or end with a hyphen (-). Description: Dashboard API key generated from https://manage.xqmsg.com/applications. Type: String TeamId: AllowedPattern: ^[0-9]*$ ConstraintDescription: The XQ team ID is a 1-4 digit number. Description: Team ID that's associated with the XQ gateway. Type: String GatewayConfigId: AllowedPattern: ^[0-9]*$ ConstraintDescription: The gateway-configuration ID is a 1-4 digit number. Description: ID from the gateway-configuration page. Type: String TrustedRangeKey: AllowedPattern: ^[0-9a-zA-Z]*$ ConstraintDescription: Valid XQ trusted-range keys can include numbers, lowercase letters, and uppercase letters. Description: Gateway-configuration trusted-range key from the dashboard. Type: String HeartBeatInterval: AllowedPattern: ^[0-9]*$ ConstraintDescription: The heartbeat interval must be a number. Description: Number of seconds between client-server heartbeats. Default: 60 Type: String MonitorSocket: AllowedPattern: ^[0-9]*$ ConstraintDescription: The monitor socket must be a number. Description: Port number that the monitor application listens to for UDP updates from the gateway. Default: 9091 Type: String GatewaySocket: AllowedPattern: ^[0-9]*$ ConstraintDescription: The gateway socket must be a number. Description: Port number that the gateway listens to for UDP requests for the monitor. Default: 9092 Type: String RoutePort: AllowedPattern: ^[0-9]*$ ConstraintDescription: The route port must be a number. Description: Port that the XQSG receives traffic on. Used for security-group configuration. Type: String # QuickStart QSS3BucketName: AllowedPattern: ^[0-9a-z]+([0-9a-z-\.]*[0-9a-z])*$ ConstraintDescription: >- The S3 bucket name can include numbers, lowercase letters, and hyphens (-), but it cannot start or end with a hyphen. Default: aws-quickstart Description: >- Name of the S3 bucket for your copy of the deployment assets. Keep the default name unless you are customizing the template. Changing the name updates code references to point to a new location. Type: String QSS3KeyPrefix: AllowedPattern: ^([0-9a-zA-Z!-_\.\*'\(\)/]+/)*$ ConstraintDescription: >- The S3 key prefix can include numbers, lowercase letters, uppercase letters, hyphens (-), underscores (_), periods (.), asterisks (*), single quotes ('), open parenthesis ((), close parenthesis ()), and forward slashes (/). End the prefix with a forward slash. Default: quickstart-xq-message-zero-trust-gateway/ Description: >- S3 key prefix that is used to simulate a folder for your copy of the deployment assets. Keep the default prefix unless you are customizing the template. Changing the prefix updates code references to point to a new location. Type: String QSS3BucketRegion: Default: 'us-east-1' Description: >- AWS Region where the S3 bucket (QSS3BucketName) is hosted. Keep the default Region unless you are customizing the template. Changing the Region updates code references to point to a new location. When using your own bucket, specify the Region. Type: String Conditions: UsingDefaultBucket: !Equals [!Ref QSS3BucketName, 'aws-quickstart'] Resources: SGStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/xqsg-single-server-sg.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: VPCID: !Ref 'VPCID' SourceCIDR: !Ref 'SourceCIDR' MgmtCIDR: !Ref 'MgmtCIDR' RoutePort: !Ref 'RoutePort' GatewayStack: Type: AWS::CloudFormation::Stack DependsOn: - SFTPStack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/xqsg-single-server.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: InstanceType: !Ref 'InstanceType' KeyPairName: !Ref 'KeyPairName' PublicSubnetId: !Ref 'PublicSubnet1ID' SGID: !GetAtt 'SGStack.Outputs.SGID' PublicSubnet1CIDR: !Ref 'PublicSubnet1CIDR' QuantumEndpoint: !Ref 'QuantumEndpoint' ValidationEndpoint: !Ref 'ValidationEndpoint' SubscriptionEndpoint: !Ref 'SubscriptionEndpoint' ManageEndpoint: !Ref 'ManageEndpoint' XqApiKey: !Ref 'XqApiKey' DashboardApiKey: !Ref 'DashboardApiKey' TeamId: !Ref 'TeamId' GatewayConfigId: !Ref 'GatewayConfigId' TrustedRangeKey: !Ref 'TrustedRangeKey' HeartBeatInterval: !Ref 'HeartBeatInterval' MonitorSocket: !Ref 'MonitorSocket' GatewaySocket: !Ref 'GatewaySocket' SFTPStack: Type: AWS::CloudFormation::Stack Properties: TemplateURL: !Sub - 'https://${S3Bucket}.s3.${S3Region}.${AWS::URLSuffix}/${QSS3KeyPrefix}templates/xqsg-single-server-sftp.template.yaml' - S3Region: !If [UsingDefaultBucket, !Ref 'AWS::Region', !Ref QSS3BucketRegion] S3Bucket: !If [UsingDefaultBucket, !Sub '${QSS3BucketName}-${AWS::Region}', !Ref QSS3BucketName] Parameters: SftpUserName: !Ref 'SftpUserName' SftpPubKey: !Ref 'SftpPubKey' SftpBucketName: !Ref 'SftpBucketName' SGID: !GetAtt 'SGStack.Outputs.SGID' PublicSubnet1ID: !Ref 'PublicSubnet1ID' PublicSubnet2ID: !Ref 'PublicSubnet2ID' VPCID: !Ref 'VPCID' Outputs: VPCID: Description: VPC ID Value: !Ref 'VPCID' pubsub1: Description: Public Subnet ID Value: !Ref 'PublicSubnet1ID'